Opened 15 months ago
Last modified 2 weeks ago
#59485 reopened defect (bug)
Invalid username
Reported by: | rinkalpagdar | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.3.1 |
Component: | Users | Keywords: | has-patch needs-unit-tests |
Focuses: | Cc: |
Description
Steps to reproduce this issue in the latest WordPress.
=>Go to WordPress admin
=>Register new user with username dot "."
=>It will create a user with username dot and blank user_nicename
I have provide solution here.
Thanks!!
Attachments (2)
Change History (9)
#5
follow-up:
↓ 6
@
2 weeks ago
Hi @rinkalpagdar,
Thank you for your thoughtful suggestion regarding username sanitization. The sanitize_user()
function would indeed be a more appropriate choice than sanitize_title()
, as it has been specifically designed for username sanitization in WordPress.
https://developer.wordpress.org/reference/functions/sanitize_user/
#6
in reply to:
↑ 5
;
follow-up:
↓ 7
@
2 weeks ago
- Keywords needs-unit-tests added
Replying to ankitkumarshah:
The
sanitize_user()
function would indeed be a more appropriate choice thansanitize_title()
, as it has been specifically designed for username sanitization in WordPress.
Correct, sanitize_title()
would replace dots with hyphens in a username, which might not be appropriate here, see #17239 / #36286 and #17904.
It is worth noting, however, that we already run sanitize_user()
in wp_insert_user()
on line 2156 above, so if that's not enough, this might need a closer look. A unit test would be helpful to demonstrate the issue.
#7
in reply to:
↑ 6
@
2 weeks ago
Replying to SergeyBiryukov:
Replying to ankitkumarshah:
The
sanitize_user()
function would indeed be a more appropriate choice thansanitize_title()
, as it has been specifically designed for username sanitization in WordPress.
Correct,
sanitize_title()
would replace dots with hyphens in a username, which might not be appropriate here, see #17239 / #36286 and #17904.
It is worth noting, however, that we already run
sanitize_user()
inwp_insert_user()
on line 2156 above, so if that's not enough, this might need a closer look. A unit test would be helpful to demonstrate the issue.
Hi @SergeyBiryukov,
Thank you for pointing this out. You're absolutely right - I missed that wp_insert_user()
already implements sanitize_user()
on line 2156. This makes the additional sanitization redundant in this context.
Hi There
Welcome to Core Trac.
Nice catch on this issue. But with your patch, it looks like
sanitize_title
is not enough to validate the username. Also, we should keep the username length within some range.For now, there is a validation of username length of more than 60. Let's see other developer's suggestions to improve this.